CycloneDX · prabhu · Mar 5, 2025 · Mar 5, 2025 · Mar 5, 2025 · Mar 5, 2025
@@ -164,7 +164,7 @@ RUN set -e; \
     && echo 'extension=timezonedb.so' >> /etc/php.ini \
     && php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && php composer-setup.php \
     && mv composer.phar /usr/local/bin/composer \
-    && gem install bundler \
+    && gem install bundler cocoapods \
     && gem --version \
     && bundler --version \
     && cd /opt/cdxgen && corepack enable && corepack pnpm install --config.strict-dep-builds=true --prod --package-import-method copy && corepack pnpm cache delete \

@@ -130,7 +130,7 @@ RUN set -e; \
     && echo 'extension=timezonedb.so' >> /etc/php.ini \
     && php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && php composer-setup.php \
     && mv composer.phar /usr/local/bin/composer \
-    && gem install bundler \
+    && gem install bundler cocoapods \
     && gem --version \
     && bundler --version \
     && chmod a-w -R /opt \

@@ -161,7 +161,7 @@ RUN set -e; \
     && echo 'extension=timezonedb.so' >> /etc/php.ini \
     && php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && php composer-setup.php \
     && mv composer.phar /usr/local/bin/composer \
-    && gem install bundler \
+    && gem install bundler cocoapods \
     && gem --version \
     && bundler --version \
     && chmod a-w -R /opt \

@@ -103,7 +103,7 @@ RUN set -e; \
     && echo 'extension=timezonedb.so' >> /etc/php.ini \
     && php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && php composer-setup.php \
     && mv composer.phar /usr/local/bin/composer \
-    && gem install bundler \
+    && gem install bundler cocoapods \
     && gem --version \
     && bundler --version
 COPY . /opt/cdxgen

@@ -174,7 +174,7 @@ RUN set -e; \
     && echo 'extension=timezonedb.so' >> /etc/php.ini \
     && php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && php composer-setup.php \
     && mv composer.phar /usr/local/bin/composer \
-    && gem install bundler \
+    && gem install bundler cocoapods \
     && gem --version \
     && bundler --version \
     && cd /opt/cdxgen && corepack enable && corepack pnpm config set global-bin-dir /opt/bin \

@@ -20,7 +20,7 @@ RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash b
     && ./tmp/install.sh && rm /tmp/install.sh \
     && node -v \
     && npm -v \
-    && gem install bundler \
+    && gem install bundler cocoapods \
     && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
     && rm -rf /var/lib/apt/lists/*
 

@@ -18,7 +18,7 @@ RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash b
     && ./tmp/install.sh && rm /tmp/install.sh \
     && node -v \
     && npm -v \
-    && gem install bundler \
+    && gem install bundler cocoapods \
     && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
     && rm -rf /var/lib/apt/lists/*
 

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.2.0",
+  "version": "11.2.1",
   "exports": "./lib/cli/index.js",
   "compilerOptions": {
     "lib": ["deno.window"],
@@ -48,7 +48,7 @@
     "gen-types": "npx -p typescript tsc"
   },
   "imports": {
-    "@appthreat/atom": "npm:@appthreat/[email protected].12",
+    "@appthreat/atom": "npm:@appthreat/[email protected].13",
     "@appthreat/cdx-proto": "npm:@appthreat/[email protected]",
     "@babel/parser": "npm:@babel/parser@^7.26.7",
     "@babel/traverse": "npm:@babel/traverse@^7.26.7",
@@ -78,7 +78,7 @@
     "yoctocolors": "npm:yoctocolors@^2.1.1",
     "jest": "npm:jest@^29.7.0",
     "@jest/globals": "npm:@jest/globals@^29.7.0",
-    "sequelize": "npm:sequelize@^6.37.3",
+    "sequelize": "npm:sequelize@^6.37.6",
     "sqlite3": "npm:sqlite3@^5.1.7",
     "body-parser": "npm:body-parser@^2.0.1",
     "compression": "npm:compression@^1.7.5",

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.2.0",
+  "version": "11.2.1",
   "exports": "./lib/cli/index.js",
   "include": ["*.js", "lib/**", "bin/**", "data/**", "types/**"],
   "exclude": [

@@ -5031,14 +5031,20 @@ export async function createCocoaBom(path, options) {
     `${options.multiProject ? "**/" : ""}Podfile`,
     options,
   );
+  if (cocoaFiles.length > 1) {
+    thoughtLog(
+      `There are ${cocoaFiles.length} pod files. I will carefully process each one.`,
+    );
+  }
+  let excludeMessageShown = false;
   for (const podFile of cocoaFiles) {
     const projectPath = dirname(podFile);
     const lockFile = `${podFile}.lock`;
-    if (!existsSync(lockFile)) {
+    if (!existsSync(lockFile) || options.deep) {
       if (options.installDeps) {
         executePodCommand(["install"], projectPath, options);
       } else {
-        console.error(
+        console.log(
           "No 'Podfile.lock' found and '--no-install-deps' is set -- A Podfile.lock is needed to parse dependencies!",
         );
         options.failOnError && process.exit(1);
@@ -5095,6 +5101,12 @@ export async function createCocoaBom(path, options) {
       process.env.COCOA_EXCLUDED_TARGETS.split(",").forEach((excludedTarget) =>
         usedTargets.delete(excludedTarget),
       );
+      if (!excludeMessageShown) {
+        thoughtLog(
+          "Wait, the user wants me to exclude certain targets from this CocoaPods project. Perhaps they don't want dev and test projects included in the SBOM 🤔?",
+        );
+        excludeMessageShown = true;
+      }
     }
     let addedObjects = new Set();
     for (const target of usedTargets) {
@@ -7713,7 +7725,7 @@ export async function createBom(path, options) {
       );
     } else {
       thoughtLog(
-        `The user wants me to focus on a single type, '${projectType}'. Could there be an issue with auto-detection, or might they use another tool like cyclonedx-cli to merge all the generated BOMs later?`,
+        `The user wants me to focus on a single type, '${projectType}'.`,
       );
     }
   }

@@ -619,6 +619,13 @@ export async function parseSliceUsages(
   const typesToLookup = new Set();
   const lKeyOverrides = {};
   const usages = slice.usages || [];
+  // What should be the line number to use. slice.lineNumber would be quite coarse and could lead to reports such as
+  // #1670. Line numbers under targetObj and definedBy is a safe bet for dynamic languages, but occassionally leads to
+  // confusion when inter-procedural tracking works better than expected.
+  let sliceLineNumber;
+  if (["java", "jar"].includes(language)) {
+    sliceLineNumber = slice.lineNumber;
+  }
   // Annotations from usages
   if (slice.signature?.startsWith("@") && !usages.length) {
     typesToLookup.add(slice.fullName);
@@ -631,7 +638,9 @@ export async function parseSliceUsages(
   }
   for (const ausage of usages) {
     const ausageLine =
-      ausage?.targetObj?.lineNumber || ausage?.definedBy?.lineNumber;
+      sliceLineNumber ||
+      ausage?.targetObj?.lineNumber ||
+      ausage?.definedBy?.lineNumber;
     // First capture the types in the targetObj and definedBy
     for (const atype of [
       [ausage?.targetObj?.isExternal, ausage?.targetObj?.typeFullName],

@@ -585,6 +585,9 @@ export function createSemanticsSlices(basePath, options) {
       console.log(
         "TIP: Unable to detect the swift sdk needed to build this project. Try running the swift build command to check if this project builds successfully.",
       );
+      console.log(
+        "Check whether the project requires xcodebuild to build. Such projects are currently unsupported.",
+      );
       return;
     }
   }

@@ -12170,23 +12170,36 @@ export function executePodCommand(parameters, path, options) {
       console.log("Executing pod", parameters.join(" "));
     }
   }
-  const result = spawnSync("pod", parameters, {
+  const result = spawnSync(process.env.POD_CMD || "pod", parameters, {
     cwd: path,
     encoding: "utf-8",
     shell: isWin,
     maxBuffer: MAX_BUFFER,
   });
   if (result.status !== 0 || result.error) {
+    if (result?.stderr?.includes("Unable to find a pod")) {
+      console.log(
+        "Try again by running 'pod install' before invoking 'cdxgen'.",
+      );
+    }
+    if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
+      console.log(
+        "Consider using the cdxgen container image (`ghcr.io/cyclonedx/cdxgen`), which includes cocoapods and additional build tools.",
+      );
+    } else if (!DEBUG_MODE) {
+      console.log(
+        "Something went wrong when trying to execute cocoapods -- Set the environment variable 'CDXGEN_DEBUG_MODE=debug' to troubleshoot cocoapods related errors",
+      );
+    }
     if (options.failOnError || DEBUG_MODE) {
-      console.error(result.stdout, result.stderr);
-      process.exit(1);
+      if (result.stdout) {
+        console.log(result.stdout);
+      }
+      if (result.stderr) {
+        console.log(result.stderr);
+      }
+      options.failOnError && process.exit(1);
     }
-    console.error(
-      "Something went wrong when trying to execute cocoapods -- Set the environment variable 'CDXGEN_DEBUG_MODE=debug' to troubleshoot cocoapods related errors",
-    );
-    throw new Error(
-      "Something went wrong when trying to execute cocoapods -- Set the environment variable 'CDXGEN_DEBUG_MODE=debug' to troubleshoot cocoapods related errors",
-    );
   }
   return result;
 }
@@ -12364,12 +12377,17 @@ function fullScanCocoaPod(dependency, component, options) {
     );
   }
   const podspecText = result.stdout;
-  const podspec = JSON.parse(
-    podspecText.substring(
-      podspecText.indexOf("{"),
-      podspecText.lastIndexOf("}") + 1,
-    ),
-  );
+  let podspec;
+  try {
+    podspec = JSON.parse(
+      podspecText.substring(
+        podspecText.indexOf("{"),
+        podspecText.lastIndexOf("}") + 1,
+      ),
+    );
+  } catch (e) {
+    return;
+  }
   const externalRefs = [];
   if (podspec.authors) {
     component.authors = [];

@@ -13,17 +13,21 @@ import {
 import { extractTags, findBomType, textualMetadata } from "./annotator.js";
 
 /**
- * Convert directories to relative.
+ * Convert directories to relative dir format carefully avoiding arbitrary relativization for unrelated directories.
  *
  * @param d Directory to convert
  * @param options CLI options
  *
  * @returns {string} Relative directory
  */
 function relativeDir(d, options) {
+  if (d.startsWith(getTmpDir())) {
+    return d;
+  }
   const baseDir = options.filePath || process.cwd();
   if (existsSync(baseDir)) {
-    return relative(baseDir, d);
+    const rdir = relative(baseDir, d);
+    return rdir.startsWith(join("..", "..")) ? d : rdir;
   }
   return d;
 }

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.2.0",
+  "version": "11.2.1",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <[email protected]>",
@@ -101,7 +101,7 @@
     "yoctocolors": "^2.1.1"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "2.1.12",
+    "@appthreat/atom": "2.1.13",
     "@appthreat/cdx-proto": "1.0.1",
     "@cyclonedx/cdxgen-plugins-bin": "1.6.9",
     "@cyclonedx/cdxgen-plugins-bin-arm": "1.6.9",
@@ -115,14 +115,14 @@
     "compression": "^1.7.5",
     "connect": "^3.7.0",
     "jsonata": "^2.0.6",
-    "sequelize": "^6.37.4",
+    "sequelize": "^6.37.6",
     "sqlite3": "^5.1.7"
   },
   "files": ["*.js", "lib/**", "bin/", "data/", "types/"],
   "devDependencies": {
     "@biomejs/biome": "1.9.4",
     "jest": "^29.7.0",
-    "typescript": "^5.7.2"
+    "typescript": "^5.8.2"
   },
   "pnpm": {
     "onlyBuiltDependencies": ["sqlite3", "@biomejs/biome"],